Cybercriminals are using legitimate software like GoTo Meeting to distribute the Remcos Remote Access Trojan (RAT) through a range of lures, from adult content to tax forms. This highlights the need for businesses and individuals to remain vigilant and proactively protect their systems and data from such attacks.
This campaign uses enticing bait such as adult content, software installation files, and tax documents. The files are cleverly named in Russian and English, targeting a broad audience and avoiding detection.
A detailed analysis of the attack reveals a complex LNK execution chain, exemplified by the file myrecentfiles23.zip. At the heart of this chain lies myrecentfiles.lnk, a Windows shortcut file carefully crafted to appear innocuous with a PDF icon.

“Legitimate applications can unwittingly become conduits for malware execution. This is also the case for recent malware loaders which abuse GoTo Meeting, an online meeting software, to deploy Remcos RAT. Their lures include adult-content downloads, software setup files as well as tax forms with file names in Russian and English language,” the researchers said.
Double-clicking myrecentfiles.lnk opens a benign PDF file named MLD.pdf while simultaneously executing winsys.odt, a legitimate GoTo Meeting PE32 executable carrying a document file name.
The inclusion of MLD.pdf lowers suspicion, as users expect a PDF file when clicking on a PDF icon. However, the choice of an outdated tax form from the year 2022 raises questions about the effectiveness of this camouflage.

The chain continues as the GoTo Meeting executable loads a DLL file named g2m.dll from the same folder. Ordinarily, GoTo Meeting would load a clean g2m.dll; in this infection chain, DLL sideloading is used to execute the malicious DLL instead, bypassing typical security measures.
The malicious DLL, written in Rust and identifiable by its statically linked Rust libraries, exports 20 functions that mimic those GoTo Meeting expects. All of them resolve to the same address and contain no functionality, so GoTo Meeting itself no longer works. The DllMain of g2m.dll still executes, which is all the malware loader needs to proceed.
The Rust code within the malicious DLL reads the file data.bin, allocates Read-Write-Execute (RWX) memory, and spawns a new thread to execute its contents. data.bin contains shellcode followed by encrypted payload data; the shellcode decrypts and executes the payload, ultimately deploying the Remcos RAT.
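As an added example (not code from the article or from the researchers), the following Python detection heuristic scans constructed image-load records for the sideloading pattern described above: a GoTo Meeting binary carrying a document extension such as winsys.odt loading g2m.dll from its own folder rather than from an install directory. The trusted install roots, the legitimate executable name, the signature field and the event format are assumptions.

```python
"""Heuristic for g2m.dll sideloading: flags loads of g2m.dll by a process whose
image has a document extension, from outside an assumed install root, or from
the process's own directory, or without a valid signature."""
import ntpath  # Windows path semantics regardless of host OS
from dataclasses import dataclass

# Extensions that should never belong to a running process image.
DOCUMENT_EXTENSIONS = {".odt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Assumed install roots for a legitimate GoTo Meeting deployment (assumption).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ImageLoad:
    process_image: str  # full path of the process loading the DLL
    loaded_image: str   # full path of the DLL being loaded
    signed: bool        # assumed field: DLL carried a valid signature


def sideload_indicators(ev: ImageLoad) -> list:
    """Return the list of indicators that fire for one image-load event."""
    proc, dll = ev.process_image.lower(), ev.loaded_image.lower()
    if ntpath.basename(dll) != "g2m.dll":
        return []  # only the DLL abused in this chain is of interest here
    hits = []
    if ntpath.splitext(proc)[1] in DOCUMENT_EXTENSIONS:
        hits.append("process image has a document extension")
    if not dll.startswith(TRUSTED_ROOTS):
        hits.append("g2m.dll loaded from outside a trusted install root")
        if ntpath.dirname(proc) == ntpath.dirname(dll):
            hits.append("g2m.dll loaded from the executable's own directory")
    if not ev.signed:
        hits.append("g2m.dll is not validly signed")
    return hits


def scan(events) -> dict:
    """Map each flagged process image to the indicators it triggered."""
    return {e.process_image: h for e in events if (h := sideload_indicators(e))}


# Constructed sample events: one sideload, one legitimate load, one unrelated.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\victim\Downloads\myrecentfiles23\winsys.odt",
              r"C:\Users\victim\Downloads\myrecentfiles23\g2m.dll", signed=False),
    ImageLoad(r"C:\Program Files (x86)\GoTo Meeting\g2mstart.exe",  # assumed name
              r"C:\Program Files (x86)\GoTo Meeting\g2m.dll", signed=True),
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\ntdll.dll", signed=True),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(hits))
```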
Further investigation of related files on VirusTotal revealed the wider scope of this attack methodology. Initial infectors, spanning several languages and targeting diverse demographics, were identified through shared artefacts such as the g2m.dll file or the decoy PDF, matched by hash.
Among the discovered elements, researchers found fake setups for LeonardoAI2, OnlyFans Livestreams, tax documents, organisers, and a Russian ZIP file titled “ЗаявканаГеоприборы.rar.zip” (which translates to “application for geodevices”).

These findings highlight the adaptability of cybercriminals in tailoring their attacks to exploit specific interests and vulnerabilities among diverse demographics.
Researchers discovered a notable variant of the execution chain in a JScript file related to adult content. This JScript file initiates an alternate chain, downloading a PowerShell script from rentry.co, a markdown paste service. The PowerShell script downloads file2.zip and establishes persistence via a RunBatchFile.lnk in the startup folder, thereby keeping the malware running.